LONDON (Reuters) – Suspected Russian hackers accessed the systems of a U.S. internet provider and an Arizona county government as part of the extensive cyber espionage campaign unveiled this week, according to an analysis of publicly available web logs.
The hack, which hijacked the ubiquitous network management software developed by SolarWinds Corp to compromise a number of U.S. government agencies and was first reported by Reuters, is one of the largest ever discovered and has sent security teams around the world scrambling to contain the damage.
Intrusions into networks at Cox Communications and the local government of Pima County, Arizona, show that alongside high-profile victims, including the U.S. Departments of Defense, State and Homeland Security, the hackers also spied on less visible organizations.
A Cox Communications spokesman said the company was working “non-stop” with the help of external security experts to investigate any consequences of the SolarWinds compromise. “The security of the services we provide is a top priority,” he said.
In comments sent to Reuters by e-mail, Pima County Chief Information Officer Dan Hunt said his team followed the U.S. government’s advice to take the SolarWinds software offline immediately after the hack was discovered. He said investigators had found no evidence of a further breach.
Reuters identified the victims by running a decoding script released on Friday by researchers at Moscow-based cybersecurity firm Kaspersky, which decodes the online web records left behind by the attackers.
The type of web record in question, known as a CNAME record, carries a unique encoded identifier for each victim and shows which of the thousands of available “back doors” the hackers chose to open, said Kaspersky researcher Igor Kuznetsov.
“Most of the time these back doors just sleep,” he said. “But then the real hack begins.”
CNAME records relating to Cox Communications and Pima County were included in a list of technical indicators published by the U.S. cybersecurity company FireEye Inc, which was the first victim to discover and disclose that it had been hacked.
John Bambenek, a security researcher and president of Bambenek Consulting, said he had also used the Kaspersky tool to decode the CNAME records published by FireEye and found that they correspond to Cox Communications and Pima County.
Records show that the back doors at Cox Communications and Pima County were activated in June and July this year, the peak of hacking activity so far identified by investigators.
It is not clear what information, if any, has been compromised.
SolarWinds, which disclosed its unwitting role at the heart of the global hack, said up to 18,000 users of its Orion software had downloaded a compromised update containing malicious code planted by the attackers.
As the fallout continued to shake Washington on Thursday, with a confirmed breach at the U.S. Department of Energy, U.S. officials warned that the hackers had used other attack methods as well and urged organizations not to assume they were protected simply because they had not used the affected versions of the SolarWinds software.
Microsoft, which was one of thousands of companies that received the malicious update, said it has now notified more than 40 customers whose networks have been further infiltrated by hackers.
About 30 of those customers were in the United States, it said, with the remaining victims found in Canada, Mexico, Belgium, Spain, the United Kingdom, Israel and the United Arab Emirates. Most were information technology companies, along with some think tanks and government organizations.
“It is certain that the number and location of the victims will continue to rise,” Microsoft President Brad Smith said in a blog post.
“Installing this malware created an opportunity for attackers to track and choose from these customers the organizations they wanted to attack, which they apparently did in a narrower and more focused way.”
Reporting by Jack Stubbs; Editing by Chris Sanders and Edward Tobin